JKLCOM asked:
Specifying User Password in Active Directory

First, let me say that while I am experienced in LDAP, I am new to Active Directory.

My problem is that when I try to create a user in Active Directory (Windows Server 2008 R2 Standard) while logged in as an administrator and specifying the unicodePwd attribute (encoded properly with quotes, Unicode, Base64) in an LDIF file using ldifde on port 389, I get an "unwilling to perform" error.  Our outsourcing contractor is having the same issue from a Java program using JNDI.

We have also tried to create the user without the unicodePwd (which is successful), but trying to modify the password using another LDIF with ldifde fails with the same "unwilling to perform."

I understand that Active Directory requires password operations on a secure connection, but I have used dsmgmt to allow password changes on unsecured connections (by using the "allow passwd op on unsecured connection" command).  I have also disabled any password policies.

I then thought that maybe Active Directory requires password operations on a secure connection regardless of the dsmgmt command.  I went through the whole exercise of creating a standalone CA, trusting the CA certificate, creating a server certificate, importing the server certificate, etc, but I am unable to connect to AD using SSL on port 636 using ldp.

I have used the following links as reference:

https://www.experts-exchange.com/questions/24521841/LDAPS-on-DC-with-Internal-CA.html
http://support.microsoft.com/kb/321051/en-us
http://support.microsoft.com/kb/931351
http://social.technet.microsoft.com/Forums/en/windowsserver2008r2general/thread/f3de8600-cf4e-4a39-a42e-7f929e1b8d6d
http://social.technet.microsoft.com/Forums/en-GB/windowsserver2008r2general/thread/c0d13777-3f1b-4805-94a2-ac56f3cecbf3

I'm looking for any suggestions about the creating user problem or getting AD working over SSL.

I'd be glad to answer any questions about my current configuration, but please be very basic about what you want to know and how to get that information.  My background is in Unix, so I may not know what you are referring to unless it comes from a basic viewpoint.  Thanks.
Active Directory, Windows Server 2008
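The question describes the unicodePwd encoding (quotes, Unicode, Base64) in words only. The script below is an added example, not code from the original post or from the asker's contractor: it produces the two LDIF files the question talks about (an add that creates an enabled user with a password, and a modify that resets one) with unicodePwd encoded the way AD DS requires, and includes the decoder for checking a hand-written file. The DN, account names and passwords in it are made up for illustration; it does not talk to a directory itself.

```python
# Added example (not from the original post): build the two LDIF files the
# question describes, with unicodePwd encoded the way AD DS requires.
# Assumed names: the DN, sAMAccountName, UPN and password used below are
# invented for illustration.
import base64


def encode_unicode_pwd(password: str) -> str:
    """Return the base64 text AD expects after 'unicodePwd::' in LDIF.

    The value on the wire is the password *including* the surrounding double
    quotes, encoded as UTF-16LE. Missing quotes, UTF-8 instead of UTF-16LE,
    or sending it over an unprotected (non-TLS, non-sealed) connection all
    come back as the same generic 'unwilling to perform' error.
    """
    raw = f'"{password}"'.encode("utf-16-le")
    return base64.b64encode(raw).decode("ascii")


def decode_unicode_pwd(value: str) -> str:
    """Inverse of encode_unicode_pwd, for checking a hand-written LDIF value."""
    return base64.b64decode(value).decode("utf-16-le")


def fold_ldif(line: str, width: int = 76) -> str:
    """Fold a long attribute line; LDIF continuation lines begin with one space."""
    out = [line[:width]]
    for i in range(width, len(line), width - 1):
        out.append(" " + line[i:i + width - 1])
    return "\n".join(out)


def add_user_ldif(dn: str, sam: str, upn: str, password: str) -> str:
    """LDIF for 'ldifde -i' that creates an *enabled* user with a password.

    Creating the object and setting unicodePwd in the same add only succeeds
    over a protected connection (for ldifde: LDAPS on port 636).
    userAccountControl 512 = NORMAL_ACCOUNT with ACCOUNTDISABLE cleared.
    """
    lines = [
        f"dn: {dn}",
        "changetype: add",
        "objectClass: user",
        f"sAMAccountName: {sam}",
        f"userPrincipalName: {upn}",
        fold_ldif(f"unicodePwd:: {encode_unicode_pwd(password)}"),
        "userAccountControl: 512",
    ]
    return "\n".join(lines) + "\n"


def set_password_ldif(dn: str, password: str) -> str:
    """Administrative reset: a single 'replace' of unicodePwd.

    A user changing their *own* password instead sends delete(old) + add(new)
    in one modify, which makes the DC verify the old password.
    """
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        fold_ldif(f"unicodePwd:: {encode_unicode_pwd(password)}"),
        "-",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Hypothetical directory and account; adjust to your own domain.
    dn = "CN=Test User,OU=Staff,DC=corp,DC=example,DC=com"
    with open("newuser.ldf", "w", encoding="ascii", newline="\r\n") as f:
        f.write(add_user_ldif(dn, "tuser", "tuser@corp.example.com", "P@ssw0rd!"))
    with open("resetpwd.ldf", "w", encoding="ascii", newline="\r\n") as f:
        f.write(set_password_ldif(dn, "N3w-P@ssw0rd!"))
    print(open("newuser.ldf").read())
```

Import the resulting file over LDAPS rather than port 389, e.g. `ldifde -i -f newuser.ldf -s dc01.corp.example.com -t 636` (hypothetical DC name); the same file on port 389 fails with "unwilling to perform" even when the encoding is correct.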

ASKER CERTIFIED SOLUTION
ActiveDirectoryman
CERTExpert:

You need to make sure that the client trusts the Root CA. The certificate should have the FQDN of the DC in the Subject Name; if you have a Subject Alternative Name (SAN) defined, then the FQDN should also be present in the SAN. The certificate must have the private key associated.

Run the 'certutil -v -verifystore my' command to see if there is an issue.
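The two naming rules above (FQDN in the subject, and in the SAN if one exists) are what an LDAPS client checks before it will trust the DC. The script below is an added example, not something from this thread or from Microsoft: it checks those rules against a certificate in the layout Python's ssl module returns, and can also run a live TLS handshake against port 636 with chain validation against your CA certificate while reporting a name mismatch as data rather than as a bare handshake failure. The DC name, CA file path and SAMPLE_CERT are invented for illustration; the private-key association that certutil verifies is not something a remote client can see and is not reproduced here.

```python
# Added example (not from the thread): offline check of the certificate naming
# rules CERTExpert lists, plus a live LDAPS probe. The DC FQDN, CA file path
# and SAMPLE_CERT below are made up for illustration.
import socket
import ssl

# Constructed sample in the dict layout ssl.SSLSocket.getpeercert() returns;
# not a real certificate.
SAMPLE_CERT = {
    "subject": ((("domainComponent", "com"),),
                (("commonName", "dc01.corp.example.com"),)),
    "subjectAltName": (("DNS", "dc01.corp.example.com"),
                       ("DNS", "corp.example.com")),
}


def names_in_cert(cert: dict) -> set:
    """DNS names a client may accept for this cert: SAN dNSName entries plus
    the subject commonName, lower-cased for comparison."""
    names = {value.lower() for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"}
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.add(value.lower())
    return names


def cert_matches_fqdn(cert: dict, fqdn: str) -> bool:
    """Exact, case-insensitive match only. Wildcards are deliberately not
    accepted, so a wildcard or NetBIOS-only certificate shows up as a
    mismatch to investigate rather than passing silently."""
    return fqdn.lower().rstrip(".") in names_in_cert(cert)


def probe_ldaps(fqdn: str, ca_file: str, port: int = 636,
                timeout: float = 5.0) -> dict:
    """Handshake with the DC the way ldp.exe would.

    Chain validation against ca_file stays on (an untrusted chain raises
    ssl.SSLCertVerificationError); hostname checking is turned off here so
    that a name mismatch is returned in the result instead of being hidden
    behind a generic TLS failure. Nothing is sent after the handshake.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False            # evaluated separately below
    ctx.verify_mode = ssl.CERT_REQUIRED   # still reject an untrusted chain
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),
                "names": sorted(names_in_cert(cert)),
                "not_after": cert.get("notAfter"),
                "name_matches_fqdn": cert_matches_fqdn(cert, fqdn),
            }


if __name__ == "__main__":
    import sys
    # Usage: python ldaps_probe.py dc01.corp.example.com corp-root-ca.pem
    dc_fqdn, ca_pem = sys.argv[1], sys.argv[2]
    try:
        for key, value in probe_ldaps(dc_fqdn, ca_pem).items():
            print(f"{key}: {value}")
    except ssl.SSLCertVerificationError as exc:
        print("chain not trusted by the given CA file:", exc)
    except OSError as exc:
        print("connect or handshake failed:", exc)
```

A handshake that fails outright with the CA file supplied, when `openssl s_client` or ldp succeeds without verification, points at trust (wrong or missing root); a successful handshake with `name_matches_fqdn: False` points at the subject/SAN problem described above.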
JKLCOM (asker):

@ActiveDirectoryman:

I removed the standalone CA role and then added in the enterprise CA role.  I tried ldp over SSL again, and again it did not work.  However, I rebooted and then it started working.  Strange how it tells you to reboot when removing the standalone CA, but it doesn't tell you to reboot when adding the enterprise CA.

Also, I was then able to create users with specified password or modify passwords of existing workers with null passwords when using port 636.  Apparently the dsmgmt command doesn't have any effect on AD DS (even though it worked for AD LDS).

Thanks for your help.

@CERTExpert:

I was running ldifde on the CA machine itself so it shouldn't have had any trust problems.  I did have the FQDN in the subject name and SAN (following the procedure in http://support.microsoft.com/kb/931351).  I didn't check whether the private key was associated since ActiveDirectoryman's suggestion worked for me.
JKLCOM (asker):

Be sure to reboot after adding the enterprise CA role.